When designing or deploying Exchange within a dispersed environment with segregated Exchange or Active Directory administration, it's important to consider how Role Based Access Control (RBAC) works within Exchange and what the Exchange Trusted Subsystem does. This is directly applicable to how 'Local Administrators' are defined for all Exchange servers within the environment.

As you'll find, commands executed in either the Exchange Management Shell or the Exchange Management Console are not run under the security context of your user account. Instead, the RBAC components of Exchange take the commands and evaluate them against the Role Group(s) you have been assigned and any policies that have been granted. If you are authorized, the commands are then executed against Windows, AD or Exchange under the security context of the Exchange server, which is a member of the "Exchange Trusted Subsystem".

The Exchange Trusted Subsystem is a highly privileged universal security group that has access to read or modify all Exchange-related objects and attributes within Active Directory, effectively making the Exchange Trusted Subsystem an organization-wide Exchange super user. Because of this, local administrator privileges over all of your Exchange servers should be restricted to only the most trusted administrators in your organization.

Effectively speaking, this means that anyone who has local administration privileges over a single Exchange server within your organization should be considered, by extension, a full Exchange Organization Administrator as well as a Local Administrator on every other Exchange server.
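The practical consequence is that the local Administrators group on each Exchange server deserves the same scrutiny as the Organization Management role group. The following PowerShell audit is an added example, not code from the original post: it lists the members of the Exchange Trusted Subsystem group, compares the local Administrators of every Exchange server against an approved list, and shows the Organization Management membership for comparison. It assumes the Exchange Management Shell and the ActiveDirectory module are loaded, that the account running it can read local groups on each server, and that `$ApprovedAdmins` (placeholder values) is the list your organization has actually agreed on.

```powershell
# Added audit example (not from the original post). Assumptions: Exchange Management
# Shell and the ActiveDirectory module are loaded; $ApprovedAdmins is a placeholder list.
$ApprovedAdmins = @('CONTOSO\exadmin1', 'CONTOSO\exadmin2')   # constructed placeholder values

# 1. Who is in the Exchange Trusted Subsystem itself. Normally this is Exchange server
#    computer accounts (plus the Exchange Windows Permissions group); a user or
#    unexpected group here is an organization-wide Exchange super user.
Write-Host '== Exchange Trusted Subsystem members =='
Get-ADGroupMember -Identity 'Exchange Trusted Subsystem' -Recursive |
    Select-Object Name, objectClass, distinguishedName |
    Format-Table -AutoSize

# 2. Local Administrators on every Exchange server. Anyone listed can run code as the
#    server and therefore inherits the Trusted Subsystem's rights, so each entry is
#    either on the approved list or flagged for review.
Write-Host '== Local Administrators per Exchange server =='
foreach ($server in (Get-ExchangeServer | Select-Object -ExpandProperty Name)) {
    $group   = [ADSI]"WinNT://$server/Administrators,group"
    $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
        # ADsPath looks like WinNT://CONTOSO/exadmin1; normalise it to DOMAIN\user
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) `
            -replace '^WinNT://', '' -replace '/', '\'
    }
    foreach ($m in $members) {
        $status = if ($ApprovedAdmins -contains $m) { 'approved' } else { 'REVIEW' }
        Write-Host ('{0,-20} {1,-40} {2}' -f $server, $m, $status)
    }
}

# 3. For comparison: the RBAC role group that is supposed to hold organization-wide
#    rights. The local Administrators above should be no broader than this set.
Write-Host '== Organization Management role group members =='
Get-RoleGroupMember -Identity 'Organization Management' |
    Select-Object Name, RecipientType |
    Format-Table -AutoSize
```

Run it from an Exchange Management Shell on a regular schedule and treat any 'REVIEW' line as a finding: either add the account to the approved list deliberately, or remove it from the server's local Administrators group. Nested domain groups inside local Administrators are reported by group name only, so expand those separately with `Get-ADGroupMember -Recursive` before deciding they are acceptable.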

I know I'm way past due on posting, I've been spending a good deal of time preparing for E14 (and hopefully when the time is right some E14 content to post)!

Despite the CAPTCHA I put in place nearly a year ago I've had a good deal of ongoing comment SPAM on the blog. I don't understand why someone would repeatedly lurk on my blog, often for an hour or more, posting their comment SPAM. Especially after they see all their comments suddenly disappear an hour later when I execute a quick SQL one-liner wiping out the nuisance. You'd think after the first dozen or so times they would figure it out and stop wasting their time. To put an end to this I've started moderating all comment posts, so nothing will appear until approved.